Fake Zoom Sites Spreading Vidar Stealer
During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet where a researcher mentioned the creation of multiple fake Zoom sites. All these sites have the same user interface. These sites are created with the express intent of spreading malware disguised as the legitimate Zoom application.
During further investigation, we discovered that these sites were spreading Vidar Stealer. Vidar is an Information Stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets. This stealer has links to the Arkei stealer. The figure below shows the Fake Zoom Site.
Analysis
The fake Zoom sites which are currently in use include:
- zoom-download[.]host
- zoom-download[.]space
- zoom-download[.]fun
- zoomus[.]host
- zoomus[.]tech
- zoomus[.]website
The site redirects to the following GitHub URL in the backend to download the malicious application.
https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip. The figure below shows the redirects that occurred in the backend.
Upon execution, the malicious application drops two binaries in the temporary folder :
- ZOOMIN~1.EXE
- Decoder.exe
Decoder.exe is a malicious .NET binary that injects the malicious stealer code into MSBuild.exe. Microsoft Build Engine (MSBuild) is a platform used to build applications. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer.
The figure below shows the Process Tree of the malicious application.
After being injected into MSBuild.exe, the malware extracts the IP addresses that host the DLLs and configuration data. The malware uses the below mentioned URLs to extract the IP addresses if anyone of them are online.
- https[:]//t[.]me/karacakahve
- https[:]//ieji[.]de/@tiagoa96
The figure below shows the malware’s network activity.
Threat Actors (TA) have used this technique to hide Command and Control (C&C) IP addresses. The figure below shows the IP present on the profile description of Telegram user “@karacakahve” and user ID “@tiagoa96” on ieji.de.
The malware receives the configuration data and DLLs from the C&C servers at this stage. The figure below displays the network activity with the C&C server.
We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer. In comparison with our previous analysis of Vidar Stealer, this malware Payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar.
The figure below shows the Hardcoded stealer strings.
Upon successful execution, the malware uses the following commands to uninstall itself from the victim’s device.
“C:\Windows\System32\cmd.exe” /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q
“C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe” & del C:\PrograData\*.dll & exit
Conclusion
Based on our recent observations, TAs actively run multiple campaigns to spread information stealers. Stealer Logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs have provided the necessary initial access to the victim’s network. This campaign appears to target Zoom users. We suggest identifying the legitimacy of the source before downloading any executables.
Our RecommendationsÂ
​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: ​Â
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., contains such malware. Â
- Use strong passwords and enforce multi-factor authentication wherever possible.  
- Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. 
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
​MITRE ATT&CK® TechniquesÂ
​Â
| ​Tactic | ​Technique ID | ​Technique Name |
| ​Initial Access | ​T1566 | ​Phishing |
| ​Execution | ​T1204 | ​User Execution |
| ​Credential Access | ​T1555 T1539 T1552 | ​Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials |
| ​Collection | ​T1113 | ​Screen Capture |
| ​Discovery | ​T1087 ​T1518 ​ T1057 ​T1007 ​ T1614 | ​Account Discovery ​ Software Discovery ​Process Discovery ​ System Service Discovery ​ System Location Discovery |
| ​Command and Control | ​T1095 | ​Non-Application Layer Protocol |
| ​Exfiltration | ​T1041 | ​Exfiltration Over C&C Channel   |
​
​Indicators of Compromise (IoCs):  Â
​
| ​Indicators | ​Indicator type | ​Description |
| 19aff3d6ed110a9037aff507cac4077f caa99a9682d20e657b58d9d508f6d4921d6b606b f2efaa8e2d001d9c7872ab0a374480bec010aeaa9dbdb932cc058530ad125217 | MD5 SHA1 SHA256 | Malicious Zoom Application |
| 19AFF3D6ED110A9037AFF507CAC4077F a8917dc3caf3485108485bf12c79de8f792e415e 32fa5edf4da5eff4ca9313f3466df85da73a6e2498b2c88ad1e3403b3979e6f4 | MD5 SHA1 SHA256 | Loader File |
| 79[.]124.78.206 | IP | C&C IP |
| 116[.]202.179.139 | IP | C&C IP |
| 193[.]106.191.223 | IP | Malicious IP |
